Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 02 Sep 2025 12:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 25 Aug 2025 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*

Sun, 24 Aug 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tika
Vendors & Products Apache
Apache tika

Thu, 21 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 21 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

threat_severity

Critical


Wed, 20 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Description Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Title Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA
Weaknesses CWE-611
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-09-02T12:34:45.683Z

Reserved: 2025-08-04T16:04:26.626Z

Link: CVE-2025-54988

cve-icon Vulnrichment

Updated: 2025-08-21T13:27:27.136Z

cve-icon NVD

Status : Modified

Published: 2025-08-20T20:15:33.070

Modified: 2025-09-02T13:15:34.280

Link: CVE-2025-54988

cve-icon Redhat

Severity : Critical

Publid Date: 2025-08-20T20:08:49Z

Links: CVE-2025-54988 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-08-24T22:19:08Z